Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Equifax said.

By:StaffTorstar News Service Published on

Equifax Inc. has yet to disclose how many Canadians were impacted by a massive cyberattack on about 143 million of the credit reporting agency’s customers.

Hackers targeted names, Social Security numbers, birth dates, addresses and driver’s licence numbers, Equifax said in a statement. “Limited personal information” from residents in Canada and the U.K. was also accessed, it said.

But David Harrison, a former physics professor at the University of Toronto, received a suspicious letter claiming to be from Equifax and believes his information may have been hit by the breach.

“I thought it was some sort of a scam, so I’ve been checking my bank account every day online,” Harrison said.

The letter indicated there was “new activity” in Harrison’s credit file and a suspicious charge of $88. It provided a link to a website that his web browser automatically blocked.

The letter was dated Aug. 24 but Harrison received it on Tuesday, about a week after he decided to cancel his $20 monthly Equifax subscription, billed on their website as a “comprehensive credit monitoring and identity theft protection product.”

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”

Credit card numbers for about 209,000 consumers were also accessed in the breach, the company said. Equifax shares dropped more than 8 per cent in after-hours trading.

According to Bloomberg, three Equifax executives, including the chief financial officer John Gamble, sold shares a few days before the hack was announced.

Equifax organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, according to a Sept. 5 press release. Its database includes employee data contributed from more than 7,100 employers.

Equifax discovered the hack July 29, but waited until Thursday to warn consumers. The Atlanta-based company declined to comment on the delay, but it’s not unusual for U.S. authorities to request a delay in public notice for the purposes of their investigation.

Intruders took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Equifax said.

“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalized this data far enough away from a web server — that there would not be any way to directly access it.”

Equifax Canada spokesperson Tom Carroll said the company is not providing any further information on the impact of the hack in Canada. Carroll said updates on the breach will be posted on www.equifaxsecurity2017.com.

The website allows users verify if their information was potentially affected, and how to sign up for the free credit-file monitoring and identify-theft protection offered by Equifax in light of the breach.